DoH Vulnerability in Harden-Runner CI/CD Security Agent by StepSecurity
CVE-2026-32947

4.6 MEDIUM

Key Information:

Vendor
CVE Published:
20 March 2026

What is CVE-2026-32947?

A DNS over HTTPS (DoH) vulnerability in Harden-Runner allows an attacker to bypass the agent's network egress restrictions: sensitive data is tunneled out through HTTPS endpoints that the policy already allows, encoded in crafted DoH queries so that the exfiltration looks like legitimate traffic. Exploitation requires code execution inside the GitHub Actions workflow beforehand, so the weakness matters mainly to an attacker who has already gained that foothold and wants to move data past the egress controls. The issue was addressed in Harden-Runner version 2.16.0.

Affected Version(s)

harden-runner < 2.16

References

CVSS V4

  • Score: 4.6
  • Severity: MEDIUM
  • Confidentiality: None
  • Integrity: None
  • Availability: None
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Required: Physical
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
